Endpoint Detection & Response is Not Enough for Your Business

Oct 19, 2021

What is an Endpoint?

An endpoint is a remote computing device that communicates back and forth with the network that it is connected to. Endpoints can be desktops, laptops, smartphones, tablets, servers, printers, and other IoT devices.

What is Endpoint Detection & Response?

Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. Anton Chuvakin at Gartner recommended the term to define emerging security systems that identify and examine suspicious activities on hosts and endpoints, employing a great degree of automation to enable security teams to identify and respond to threats quickly.

The primary functions of an EDR security system are to:

  • Monitor and collect activity data from endpoints that may indicate a threat
  • Analyze data to identify threat patterns
  • Automatically respond to identified threats and remove or contain them, and notify security personnel
  • Provide forensics and analysis tools to research identified threats and search for suspicious activity


Why Do You Need Endpoint Detection & Response?

As many workforces take on a more permanent hybrid model, more users connect to internal resources from off-premises endpoints worldwide, making endpoints increasingly susceptible to cyberattacks. 

The following is a list of ways attackers can target endpoints.

  • Use an endpoint as an entry and exit point to access high-value assets and information on an organization’s network.
  • Access assets on the endpoint to exfiltrate or hold hostage, either for ransom or purely for disruption.
  • Take control of the device and use it in a botnet to execute a Denial of Service (DoS) attack.

There are many EDR tools in the market today; some are more robust than others. Below are some examples and some we use. Keep in mind this is a shortlist and is not comprehensive.

Microsoft Endpoint Manager

As a Microsoft Azure Expert MSP, we use Microsoft Endpoint Manager (MEM) in our solutions. This tool helps customers take a flexible path to cloud management no matter where a business may be in their cloud journey. MEM enables you to secure, deploy, and manage all users, apps, and devices without disrupting existing processes.

Arctic Wolf Managed Detection & Response

Coretek is an Arctic Wolf partner, which enables us to deliver their unique endpoint management solution. They offer a cloud-native platform with a concierge service that works directly with customers' IT teams to strengthen their security posture over time.

Citrix Endpoint Management

Our partner Citrix also offers an Endpoint Management solution. Their solution allows IT to bring every app and endpoint into one unified view.


Why is Endpoint Detection and Response Not Enough?

There are a few truths that must be accepted as part of your security program. 

  1. There are no perfect systems, and technology changes rapidly.
  2. Humans will always make mistakes.
  3. The bad guys will find a way.

Based on these truths, your security program should include vulnerability, misconfiguration, and change management. You should also have a plan for when humans make mistakes or click on links, buttons, and other nefarious calls to action.

Therefore, we cannot rely upon our protections alone as, over time, they will fail. That is why no matter the organization's size, we need a detection and response function to find the anomaly or intruder before they can act. The bad guy only needs to be right once. And once they are in, they need to stay under the detection radar to have time to execute their criminal plan. An exemplary detection and response program collects the security data and telemetry from all your security tools and then correlates and detects an intruder to catch them quickly and allow your teams the time needed to remove the threat before the breach happens.

Watch our recent co-led webinar with Arctic Wolf on Why EndPoint Detection & Response Is Not Enough, 


Some Tools are Not Compatible with EDR

Not all attacks against the organization are against an endpoint. That is why a successful detection and response program has many sources of security data and telemetry available from all of the organization's security and IT tools. This data needs to be gathered, correlated, and then acted upon when there are credible alerts. In this equation, EDR is only part of the answer. The tools that help manage and secure your endpoints are significant, but they are just a small piece of the security pie. To get a complete view of the environment, security system and network telemetry must be available not only for endpoints but also for legacy tools, printers, and some IoT devices that may not be compatible with your EDR tool—which leaves them vulnerable to an attack that no one will notice until it is too late to correct course.


You Still Need an Educated Security Team to Monitor Alerts

You can buy every security tool out there, but you are still at risk unless those tools report back to a detection and response platform—and you have a team in place to monitor and investigate alerts as they roll in. The need for an organization to detect and quickly respond to threats goes beyond organizational size; it is a fact of doing business today. In today's world, if an organization cannot build a SOC or detection and response platform, it is recommended that they get a service to fill that gap. And if your business is in an industry with high security demands or is highly regulated, you may be required to have 24/7 security monitoring.


Email Phishing—Social Hacking

No matter how well you think you have protected your business from attackers, there is always the human element of an attack. And even if you are in the minority of companies that train their employees on how to watch for phishing and other means of social hacking, it is still very likely that your employees are the weakest link in your security posture. The indicators can often be found in email, CASB, Active Directory monitoring, and other sources well before the EDR system on its own can detect suspicious activity from these kinds of attacks. Still, sometimes these kinds of attacks can look like normal behavior; that is when the EDR, in conjunction with a comprehensive detection, response, and investigation program, can create the next layer of your protection. Together, the EDR platform and your security team can mitigate the issue and learn from it to keep it from becoming a breach. But what if you don't have the budget to hire IT security experts to work in your IT department? There are many businesses in that exact spot. This is when you can partner for Managed Detection and Response services with experts in the field who do it every day.
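As an added illustration of the multi-source correlation argued for in the two sections above (this is example code written for this page, not Coretek's or any vendor's product logic; the events, source weights, window and threshold are constructed assumptions), the script below shows how the same user's email, Active Directory, CASB and EDR signals, each weak on its own, cross an alert threshold only when viewed together:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical users, times and details):
# (timestamp, source, user, event kind, detail)
EVENTS = [
    ("2021-10-19T09:01:00", "email", "jdoe", "link_clicked", "link in newly registered sender domain"),
    ("2021-10-19T09:03:00", "ad", "jdoe", "logon", "interactive logon from unfamiliar location"),
    ("2021-10-19T09:04:00", "casb", "jdoe", "bulk_download", "42 files pulled from file share"),
    ("2021-10-19T09:05:00", "edr", "jdoe", "process", "script host launched by mail client"),
    ("2021-10-19T11:30:00", "edr", "asmith", "process", "script host launched from shell"),
]

# Assumed weights: each source is a weak signal alone; distinct sources add up.
WEIGHTS = {"email": 1, "ad": 1, "casb": 2, "edr": 1}
WINDOW = timedelta(minutes=15)   # assumed correlation window per user
THRESHOLD = 4                    # assumed score at which an alert is raised


def correlate(events, sources=None, threshold=THRESHOLD):
    """Return {user: {"score", "signals"}} for users whose distinct-source
    score inside any WINDOW reaches threshold. `sources` restricts which
    telemetry feeds are considered (None = all feeds)."""
    by_user = defaultdict(list)
    for ts, src, user, kind, detail in events:
        if sources is None or src in sources:
            by_user[user].append((datetime.fromisoformat(ts), src, kind, detail))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            seen = {}   # first event per source within the window
            for t, src, kind, detail in evs[i:]:
                if t - t0 > WINDOW:
                    break
                seen.setdefault(src, f"{kind}: {detail}")
            score = sum(WEIGHTS[s] for s in seen)
            if score >= threshold:
                hits[user] = {"score": score, "signals": seen}
                break
    return hits


if __name__ == "__main__":
    print("EDR only:", correlate(EVENTS, sources={"edr"}))   # nothing crosses the threshold
    print("All feeds:", correlate(EVENTS))                   # jdoe is flagged with four signals
```

With only the EDR feed, neither user reaches the threshold; with all feeds, jdoe's phishing click, unusual logon, bulk download and script launch within a few minutes add up to an alert.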



Should You Partner for Detection & Response Services?

Unless you have a dedicated, fully staffed security team within your organization, you will more than likely need to assess the gaps in your detection and response program. Based on those gaps, consider finding a qualified partner to augment your program. The key is to assume that your defenses will fail one way or another, and the next crucial step is to detect and act quickly to catch the issue before it becomes a breach.

No matter your business size or industry, it is vital to have a strong security posture; if you are unsure where to begin, give us a call!

Copyright © 2021 Coretek Services